11

2025-12-08 23:31:05 +01:00
parent 6b9587d299
commit 2a167c0c4d
1 changed files with 29 additions and 7 deletions
--- a/src/ApiKernel.php
+++ b/src/ApiKernel.php
@@ -97,14 +97,36 @@ class ApiKernel
        $this->fail('Invalid config', 'config file not found or not returning array', 500);
    }
    private function cors(): void { /* ... Logik bleibt unverändert ... */
-        $cors = $this->conf['cors'] ?? '*';
+        $corsConfig = $this->conf['cors'] ?? '*';
-        if ($cors) {
+        $originHeader = $_SERVER['HTTP_ORIGIN'] ?? '';
-            header('Access-Control-Allow-Origin: ' . $cors);
+        $allowedOrigin = null;
        if (is_array($corsConfig)) {
            if ($originHeader && in_array($originHeader, $corsConfig, true)) {
                $allowedOrigin = $originHeader;
            }
        } elseif (is_string($corsConfig)) {
            if ($corsConfig === '*' && $originHeader !== '') {
                $allowedOrigin = $originHeader;
            } else {
                $allowedOrigin = $corsConfig;
            }
        }
        if ($allowedOrigin) {
            header('Access-Control-Allow-Origin: ' . $allowedOrigin);
            header('Vary: Origin');
            header('Access-Control-Allow-Credentials: true');
        } elseif ($corsConfig === '*') {
            header('Access-Control-Allow-Origin: *');
        }
        header('Access-Control-Allow-Methods: GET, POST, OPTIONS');
        header('Access-Control-Allow-Headers: Content-Type, Authorization');
-            header('Access-Control-Allow-Credentials: true');
+
        if (($_SERVER['REQUEST_METHOD'] ?? 'GET') === 'OPTIONS') {
            $this->respond(['ok' => true]);
        }
        if (($_SERVER['REQUEST_METHOD'] ?? 'GET') === 'OPTIONS') $this->respond(['ok' => true]);
        if (!empty($this->conf['auth']['cookie'])) {
            $c = $this->conf['auth']['cookie'];